On Saturday 31 May 2008 10:34, "Justin Mattock" <justinmattock@xxxxxxxxx> wrote: > would this have been a better outcome. As for what happened at > comcast, I really don't know, I just don't like hearing story's like > that, The positive side is the hackers exposed holes which can then be > fixed, but in this case the hackers exposed the holes, they just chose > to ignore them,(if this is the case) causing a more of a wakeup call > later in time. http://en.wikipedia.org/wiki/Comcast http://en.wikipedia.org/w/index.php?title=Comcast&oldid=216058661 According to the above page (I give the URLs for the latest page and the specific version that I cite) the comcast hack was based on "gained control of Comcast's domain management console at Network Solutions". http://blog.wired.com/27bstroke6/2008/05/comcast-hijacke.html The Wikipedia page cites the above Wired article which says "the pair used a combination of social engineering and a technical hack to get into Comcast's domain management console at Network Solutions. They declined to detail their technique, but said it relied on a flaw at the Virginia-based domain registrar". Sufficiently advanced/dedicated/lucky social engineering can get through almost any defence. A majority of such attacks involve tricking someone into giving away their password. It is claimed that there is a flaw with Network Solutions software but no evidence is presented. If the claim is correct then there would be nothing that Comcast could have done in software as the problem would be some combination of Comcast people and procedures combined with NetSol software. Web Apps are a problem area. One question I have been asked a few times is about how to use SE Linux to secure a Web App that does something important. The question often is effectively "how can I make a program which is designed for the specific purpose of managing sensitive data not have the ability to mis-manage it". The answer is that if you have multiple sets of data that you want to keep separate then you can do it, but if you have it all together then there's not much that can be done. I do however have some ideas for ways that it might be possible to use SE Linux to improve the security of Wordpress, I'll have to blog about that. But first I want to get a proof of concept. I expect that like most people the Wordpress developers aren't enthusiastic about suggestions like "here's a way that you could do a heap of work to solve something that you might not even consider to be a bug, I'm not even sure it'll work but I'll tell you anyway". Finally one lesson that can be learned from Comcast is that if some data which is important to your operation unexpectedly gets changed to include profanity then you need to take it as proof of a serious problem which requires immediate action. Also if someone who has no good reason to know your job calls you at home to discuss it then you should listen to what they have to say - once they have demonstrated that they have access to secret data you have to assume that there is more and you need to know what it is. -- russell@xxxxxxxxxxxx http://etbe.coker.com.au/ My Blog http://www.coker.com.au/sponsorship.html Sponsoring Free Software development -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
